OFFICE OF INSPECTOR GENERAL

AUDIT OF SELECTED APPLICATION CONTROLS OVER THE ANNUAL REPORT APPLICATION SYSTEM

AUDIT REPORT NO. A-000-06-005-P
September 27, 2006

WASHINGTON, DC


Office of Inspector General

September 27, 2006

MEMORANDUM

TO:        PPC/DAA, Walter North
           M/DCIO, Phil Heneghan

FROM:      AIG/A, Joseph Farinella /s/

SUBJECT:   Audit of Selected Application Controls over the Annual Report Application System (Report No. A-000-06-005-P)

This memorandum transmits our final report on the subject audit. We have considered your comments on the draft report and have included them in their entirety in Appendix II.

This report contains seven recommendations to help USAID improve its controls over the Annual Report Application system. Based on your comments to our draft report, we consider that management decisions have been reached for Recommendation Nos. 1, 2, 3, 4, 5, 6, and 7. For these recommendations, please notify the Bureau for Management's Audit, Performance and Compliance Division when final action is completed.

I want to express my sincere appreciation for the cooperation and courtesy extended to my staff during the audit.

U.S. Agency for International Development
1300 Pennsylvania Avenue, NW
Washington, DC 20523
www.usaid.gov


CONTENTS

Summary of Results .......................................................... 1
Background .................................................................. 2
Audit Objective ............................................................. 3
Audit Findings .............................................................. 4
    USAID Did Not Implement Effective Application Controls for the Annual Report System .... 4
Evaluation of Management Comments .......................................... 11
Appendix I – Scope and Methodology ......................................... 12
Appendix II – Management Comments .......................................... 14
Appendix III – Annual Report System Description ............................ 16
Appendix IV – Glossary of Selected Information Security Terms .............. 18


SUMMARY OF RESULTS

The Information Technology and Special Audits Division of the Office of Inspector General in Washington, D.C. conducted this audit to review selected application controls [1] over the Annual Report (AR) Application system. The Bureau for Policy and Program Coordination (PPC) within USAID developed, maintained and operated the Annual Report (AR) Application system with contractor support. (See pages 3 and 12.)

The audit found that USAID did not implement effective application controls for the AR system. Specifically, USAID did not:

• Perform risk assessments to identify the initial types of controls needed for the AR system or conduct follow-up annual assessments to monitor the effectiveness of existing controls (pages 4-5);
• Prepare a security plan that documents the needed (i.e., agreed-upon) controls in the AR system to mitigate risk in conformance with the National Institute of Standards and Technology guidelines (pages 5-7); and
• Implement selected controls, including effective password access controls, as necessitated by Federal requirements (pages 7-8).

These key deficiencies contributed to numerous other control weaknesses, such as not assigning security responsibilities, not requiring training for users prior to obtaining access to the AR system, and not testing contingency plans. Consequently, USAID has limited assurance that the AR system's controls are effectively mitigating risks of unauthorized disclosure, modification, destruction or loss.

The primary cause for these weaknesses was that the Cognizant Technical Officer (CTO) within the Bureau for Policy and Program Coordination (PPC) did not monitor the contractor's performance to ensure that the security requirements were performed, and that the CTO did not obtain the specialized training needed to support their security responsibilities. More importantly, the Chief Information Officer's (CIO) office did not fully implement its oversight responsibility of monitoring the AR system to ensure that an acceptable level of security was established. (See pages 4, 8-9.)

We made seven recommendations to help USAID improve application controls over the AR system. (See pages 9-10.)

USAID management agreed to take corrective action on all seven recommendations in the report. Based on management's response, management decisions were reached on all seven recommendations. (See page 11.)

[1] Application controls are security controls that provide safeguards to protect the computer system and its information.


BACKGROUND

The United States Agency for International Development (USAID), Bureau for Policy and Program Coordination (PPC), developed, maintained and operated the Annual Report (AR) Application system with contractor support. [2] The AR system supports USAID reporting needs by collecting and analyzing program and resource information from worldwide operating units. First deployed in fiscal year (FY) 2002, the AR system evolved from the Review, Results, Resource, Request (R4) preparation tool to its present use. The AR system has since become critical for the support of budget and performance reporting requirements and is the primary means for obtaining program reporting documentation for the Agency.

The AR system supports the preparation of:

• USAID's Congressional Budget Justification (CBJ)
• USAID's Performance and Accountability Report (PAR)
• USAID's Annual Budget Submission
• Joint Department of State/USAID's Performance Plan
• USAID's Bureau Program and Budget Submission
• Office of Management and Budget's Performance Assessment Rating Tool
• USAID's Workforce Planning Request Levels

The AR system also maps expenditures to strategic objectives in the Statement of Net Costs. The changes to the AR system now being proposed include using the system to collect the use of 39 standardized program components [3] to support USAID's strategic planning process.

The AR system is predominantly housed, maintained and operated by an off-site contractor. (See Appendix III for a description of the system.)

Several legislative and policy-directed mandates define the types of controls that USAID computer systems should have. These mandates include:

• The Federal Information Security Management Act of 2002 (FISMA), which requires the National Institute for Standards and Technology (NIST) to develop standards and guidelines for information systems used or operated by an agency or by a contractor for an agency or on behalf of an agency, and gives the Office of Management and Budget (OMB) responsibility to oversee and coordinate the development and implementation of NIST standards and guidelines for Federal agencies.

• The OMB Circular A-130, Appendix III, "Security of Federal Automated Information Resources" (November 28, 2000), which establishes minimum controls to ensure that adequate security is provided for the agency's computer systems.

• The USAID Automated Directives System (ADS), Chapter 545 - Information Systems Security, which contains specific mandatory security policies in support of FISMA, OMB and NIST mandates.

[2] Contract Number RAN-C-00-03-00032-00, awarded on August 1, 2003, contains a base year and two option years. The second option year expires on July 31, 2006.
[3] Program components are the "building blocks" of USAID programs. They will be standard across all Operating Units and have associated with them a set of common indicators to facilitate performance management and reporting.

At the start of this audit, PPC organizationally was the system owner of the AR system. Subsequent to our audit field work, we learned that some components of the AR system will be replaced [4] by an integrated system to support the Department of State's Office of the Director of U.S. Foreign Assistance (F). Several USAID PPC personnel who had supported the AR system have been moved into the F bureau to assist in integrating USAID's AR system and the Department of State's Country Operational Planning and Reporting System. As a result of these changes, the recommendations made in this report should also be considered when implementing the new system.

[4] The components for replacement or integration are planned to be identified and evaluated in the remaining part of calendar year 2006.


AUDIT OBJECTIVE

This audit was added to the OIG's annual audit plan to answer the following question:

    Did USAID implement effective application controls for the Annual Report (AR) Application system?

A description of our scope and methodology is contained in Appendix I.


AUDIT FINDINGS

Although USAID through its contractor implemented some security controls, it did not implement effective application controls for the Annual Report (AR) Application system. Among the controls USAID's contractor did implement were physical access restrictions to their computer room, the performance of data backups of the AR system, and the development of limited edit checks and password control capabilities within the AR system. USAID also developed security policies and procedures to support information technology acquisitions and conducted ad hoc training for AR system users.

However, USAID did not implement effective application controls for the AR system. As described below, USAID did not (1) perform risk assessments; (2) prepare a security plan, which may include identifying the AR system as a major application; and (3) implement selected controls, including effective password controls, as mandated by Federal requirements.

The risk assessment, security plan, and passwords are critical key controls that serve not only to support other application control categories (i.e., audit and accountability controls), but also to define and manage the risks of the AR system and the information it contains.

USAID Did Not Implement Effective Application Controls for the AR System

Summary – USAID did not implement effective application controls for the AR system. Specifically, USAID did not (1) perform risk assessments, (2) prepare a security plan, and (3) implement selected controls, including effective passwords, in accordance with the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB) and USAID requirements. This occurred because the Office of Policy and Program Coordination (PPC)—the system owner—did not (1) monitor the contractor's performance to ensure that the security requirements were performed and (2) obtain for the Cognizant Technical Officer (CTO) the specialized training needed to define and support their security responsibilities. In addition, USAID's Chief Information Security Officer did not conduct oversight reviews to re-evaluate the system as it evolved and ensure that minimum security requirements existed for the AR system. Consequently, USAID places the confidentiality, integrity and availability of the AR system and data at risk of unauthorized disclosures, modifications, destruction or loss.

Risk assessments are needed for the AR system – The purpose of an initial risk assessment is to identify risks to the computer system and the information contained in it so that appropriate controls can be defined and implemented to reduce or eliminate those risks to an acceptable level. Performing subsequent assessments helps ensure that controls are working as intended. Federal agencies that utilize contractors to install and/or maintain computer systems are fully responsible and accountable for ensuring that FISMA and related policy requirements are implemented, reviewed, and included in the terms of the contract.

• FISMA (section 3544) requires Federal agencies to conduct periodic assessments of all systems, including systems and information managed by a contractor on behalf of the agency, at least annually.

• USAID's policy ADS 545.3.1.4, Risk Management, states that the individual responsible for daily and operational management of each specific system must (1) conduct an initial risk assessment for each information system using USAID published procedures and guidelines, (2) conduct follow-up risk assessments annually, or whenever the system or its operating environment significantly changes, and (3) take corrective actions to mitigate vulnerabilities detected during risk assessments.

However, PPC (the system owner) did not conduct risk assessments in accordance with FISMA requirements and USAID policy. Specifically, the Cognizant Technical Officer (CTO) responsible for monitoring the contract did not ensure that initial and subsequent annual assessments of the AR system were performed and appropriately documented. Further, the CTO was not fully aware of FISMA and USAID requirements to perform risk assessments. (This is discussed in more detail in the "Causes and Impacts of Problems Identified" section of the report.)

A system security plan is needed for the AR system – A system security plan (Plan) is a formal document that provides an overview of the security requirements and describes the security controls in place or planned for meeting those requirements. The Plan defines the agreed-upon controls that the AR system should have to mitigate risks.

OMB Circular A-130, Appendix III, requires Federal agencies to develop security plans consistent with NIST Special Publication 800-18, "Guide for Developing Security Plans for Federal Information Systems," which states in part that all information systems must be covered by a system security plan.

Further, to develop a security plan, the system owners, in collaboration with the Chief Information Security Officer (CISO), must decide if the AR system is covered as a "major application" or a "general support system." OMB Circular A-130, Appendix III, defines a "major application" as an application that requires special attention to security due to the risk and magnitude of harm resulting from the loss, misuse or unauthorized access to or modification of the information in the application. The Circular also defines the term "major information system" as an information system that requires special management attention because of its importance to an agency mission or its significant role in the administration of agency programs, finances, property, or other resources. OMB defines a general support system as a system that consists of hardware and software to provide general data processing and telecommunication support for a number of applications (e.g., the local area network).

However, as discussed in the following sections, USAID did not (1) develop a security plan for the AR system in accordance with FISMA, NIST and OMB requirements and (2) consider identifying the AR system as a major application.

    The AR system security plan was not developed – ADS 545 gives the system owners the responsibility for (1) ensuring that a security plan is prepared, (2) implementing the plan, and (3) monitoring its effectiveness. Further, OMB directs agencies to develop security plans that address the following:

• Rules of behavior
• Security training
• Personnel screening
• Continuity of support or contingency planning
• Technical security controls
• Review of controls, and
• Authorization of processing

However, USAID did not have a security plan for the AR system. Specifically, although the contract required the contractor to develop a system security plan in accordance with NIST 800-18, the CTO responsible for monitoring performance of the contract did not ensure that a Plan was developed for the AR system. (This is discussed in more detail in the "Causes and Impacts of Problems Identified" section of the report.)

    The AR System Plan may need to identify the system as a major application – As previously stated, OMB defines the term "major application system" as an information system that requires special management attention because of its significant role in the administration of agency programs, finances, property, or other resources. NIST 800-18 further states that "major applications" are by definition "major information systems" and must have a moderate to high impact level on the agency.

In its fiscal year 2005 FISMA report, USAID did not list the AR system as a "major information system." As such, USAID considered the AR system as a non-major or minor application system that runs on the general support system. However, in accordance with OMB Circular A-130 and NIST guidelines, we believe that the AR system may meet the criteria for a "major application."

For example, various factors—including the high visibility of the AR system process, the criticality of its functions, and its use as a tool to prepare, among other documents, the Congressional Budget Justification and the Agency's resource requests—warrant, we believe, special management attention to the system's security as required by OMB Circular A-130. To illustrate:

• USAID's PPC acknowledges the importance of the AR system by stating in their FY2006 annual guidance:

        "The Annual Report application has become the Agency's primary program reporting document; it is critically important for a number of budget and performance reporting requirements. In addition, the Annual Report application is one of the tools of the Agency's strategic management reform and as such serves as the operational plan for all units. Due to the importance of the information collected in the Annual Report, PPC will advise senior management of all Missions that fail to fully meet the requirements herein."

• USAID's PPC officials stated that without the AR system, these functions could not readily be performed using spreadsheets and word processing programs, and to do so would be time consuming, laborious and produce results of questionable accuracy. Furthermore, PPC officials questioned whether such an option could be supported with existing staff resources. Information provided by, and stored in, the AR system is critical for USAID to request funding and carry out planning and budgeting. One PPC official indicated that USAID operations would cease if the AR system became unavailable since there was no alternative to preparing USAID's Congressional Budget Justification.

• USAID's geographic and functional bureaus currently use the AR system for preparing the Agency's Congressional Budget Justification and for their program planning and budgeting. In addition, the Office of Financial Management uses the system data for its Statement of Net Costs and for mapping USAID expenditures to its strategic objectives. USAID's increased use of and reliance upon the system has made it critical to Agency operations.

• Lastly, the OIG's limited impact assessment concluded that the AR system's rating is at least "moderate." This means that the potential impact on USAID, should certain events occur, would be to jeopardize the information and information systems needed by the Agency to accomplish its assigned mission, protect its assets, and maintain its day-to-day functions. This impact level is consistent with NIST Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Systems; NIST 800-18, which requires major applications to have a moderate to high impact rating; and NIST 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories, which correlates information to predefined impact levels.

In our opinion, USAID's use of and reliance on the AR system appears to meet OMB's definition of a major application. The reports produced by the AR system and the information contained within it could only be produced otherwise with increased investment, time and effort. The loss of this system could be detrimental to Agency operations. Therefore, we believe that USAID should consider identifying the AR system as a major application.

Implementation of security controls needed – NIST 800-18 requires agencies to clearly identify their security controls and include a description of the considerations made for implementing security controls. Additionally, OMB A-130, Appendix III, directs agencies to develop security plans that address specific security controls. The table below depicts selected OMB A-130, Appendix III, security controls and our assessment as to whether these controls were implemented for the AR system.

    OMB A-130 Appendix III – Selected Controls Required in Security Plan           Implemented for AR System?

    1. Has security been assigned to a management official knowledgeable of the
       information and processes supported by the application?                      No

    2. Have rules been established concerning use and behavior of individuals with
       access to the application to provide security to the application and
       information in it?                                                            No

    3. Did users receive specialized training focused on their responsibilities and
       application rules prior to receiving access to the application?               No

    4. Have separation of duties, along with least privilege and individual
       accountability controls, been incorporated into the application and
       application rules?                                                            Partially

    5. Has contingency planning and periodic testing of the application been
       performed?                                                                    No

    6. Have independent reviews or audits of the security controls been performed
       at least every 3 years?                                                       No

    7. Has a management official authorized in writing the use of the application by
       confirming that its security plan as implemented adequately secures the
       application, and reauthorized its use at least every 3 years?                 No

As illustrated in the table above, USAID did not (1) assign a systems security officer to the AR system, (2) ensure that formal rules of behavior and specialized training were provided prior to an AR system user being granted access to the AR system, (3) conduct periodic contingency testing of the AR system, (4) conduct independent reviews or audits of the security controls, and (5) authorize the use of the AR system. In addition, although USAID partially implemented the capability to separate end-user and super-user privileges in the AR system by user identifications and passwords as explained below, PPC did not effectively implement password controls.

    Effective password controls needed – OMB A-130, Appendix III, states that agencies are required to establish controls to ensure adequate security. For example, authentication of individual users is an important management control, for which password protection is a control mechanism. However, password protection will only be effective if a strong technology is employed and managed to ensure that it is used correctly. USAID's ADS 545.3.3.1, Identification and Authentication (Passwords), requires the use of password standards and procedures.

Nevertheless, contrary to ADS policy, USAID did not use effective password controls. For example:

• Passwords were not always required.
• Passwords had no expiration dates.
• Passwords had no requirement for complex construction.
• Passwords were not masked or hidden when signing in.
• The super-users who administer user accounts could view all users' passwords within their own bureaus because the passwords were not encrypted.
• Some accounts had blank passwords on the database server. [5]
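The password weaknesses listed above can each be turned into a check that runs over an account export, and the storage weakness (super-users reading clear-text passwords) has a standard fix. The following added example is not part of the OIG report or of the AR system's code; it audits a constructed set of application and database-server accounts for the findings named in this section and shows salted hashing so that read access to the account table no longer reveals the secret. The record layout, the 90-day expiry and the complexity rule are assumptions, since ADS 545's parameters are not reproduced in the report.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy values (placeholders; the report cites ADS 545 but does not list its settings).
MAX_PASSWORD_AGE_DAYS = 90
MIN_LENGTH = 8
PBKDF2_ITERATIONS = 200_000
HASH_PREFIX = "pbkdf2_sha256$"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2 hash instead of the clear-text password, so an
    administrator who can read the account table cannot recover user passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{HASH_PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] + "$" != HASH_PREFIX:
        return False
    _, iterations, salt_hex, digest_hex = parts
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def is_complex(password: str) -> bool:
    """Assumed construction rule: minimum length plus three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return len(password) >= MIN_LENGTH and sum(bool(re.search(c, password)) for c in classes) >= 3


def set_password(account: dict, new_password: str, today: date) -> None:
    """Enforce the construction rule at change time (the only point where the clear
    text is available) and record the change date so expiry can be enforced."""
    if not is_complex(new_password):
        raise ValueError("password does not meet the complexity rule")
    account["password"] = hash_password(new_password)
    account["last_changed"] = today


def audit_account(account: dict, today: date) -> List[str]:
    """Return the findings from the report that apply to one exported account record.
    Assumed keys: user, system, password (value as stored: None, '', clear text or a
    hash string) and last_changed (date or None)."""
    findings = []
    stored = account.get("password")
    if stored is None:
        return ["password not required"]
    if stored == "":
        return ["blank password"]
    if not stored.startswith(HASH_PREFIX):
        # Clear-text storage: anyone with read access to the table can see the secret.
        findings.append("password stored unencrypted")
        if not is_complex(stored):
            findings.append("password fails complexity rule")
    changed = account.get("last_changed")
    if changed is None:
        findings.append("no expiration date recorded")
    elif today - changed > timedelta(days=MAX_PASSWORD_AGE_DAYS):
        findings.append("password expired")
    return findings


def audit_accounts(accounts: List[dict], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant user to its findings; compliant accounts are omitted."""
    result = {}
    for account in accounts:
        findings = audit_account(account, today)
        if findings:
            result[account["user"]] = findings
    return result


# Constructed sample export (not real AR system data); the date is the end of fieldwork.
AUDIT_DATE = date(2006, 4, 17)
SAMPLE_ACCOUNTS = [
    {"user": "mission_user", "system": "AR application", "password": "summer2006", "last_changed": None},
    {"user": "bureau_admin", "system": "AR application", "password": "Xk9$pLm2!", "last_changed": date(2005, 1, 15)},
    {"user": "dbreport", "system": "database server", "password": "", "last_changed": None},
    {"user": "legacy", "system": "AR application", "password": None, "last_changed": None},
    {"user": "hardened", "system": "AR application", "password": hash_password("Go0d-Pa$$word"),
     "last_changed": date(2006, 3, 1)},
]

if __name__ == "__main__":
    for user, findings in audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE).items():
        print(f"{user}: {', '.join(findings)}")
```

Once passwords are hashed, complexity can only be checked at change time, which is why the rule lives in set_password rather than in the audit.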
5\n5\n    The Database Administrator promptly corrected this situation during the audit.\n\n\n\n                                                                                                           8\n\x0cCauses and Impacts of Problems Identified \xe2\x80\x93 This audit identified a number of\ncontrol weaknesses related to the AR system. We attribute these weaknesses to the\nCTO\xe2\x80\x99s need to:\n    1. exercise more active monitoring of the contractors to ensure that they are\n       performing their security tasks and safeguarding the AR system, and\n    2. obtain specialized training that focuses on defining and supporting security\n       responsibilities.\nMore importantly, the CISO in the Chief Information Officer\xe2\x80\x99s (CIO) office needs to fully\nimplement his oversight responsibilities to ensure that an acceptable level of security is\nestablished for the AR system.\nThe contract supporting the AR system operations, awarded in August 2003, required\nthe contractor to comply with OMB A-130, NIST Special Publication 800-18, and ADS\n545, \xe2\x80\x9cInformation Systems Security.\xe2\x80\x9d All of these guidelines and USAID policies call for\nconducting risk assessments, preparing security plans, and implementing security\ncontrols for systems. However, USAID did not implement the guidelines and its own\npolicies to protect the AR system. Specifically, the CTO did not monitor the contractor to\nensure that the cited requirements were done. This, in part, was due to the CTO not\nbeing fully aware of the security requirements that should be implemented. Prior to\nspeaking with us, the CTO did not know that risk assessments or security plans with\nimplemented or planned controls were needed for the AR system. 
She indicated that\nshe had not received the specialized training for employees with significant security\nresponsibilities, which is required by FISMA.\nIn addition, ADS 545 states that the CISO must verify that the security level has been\ncorrectly established for each USAID information system. ADS 545 also states that the\nCISO must validate for each USAID information system that the appropriate managerial,\noperational and technical controls have been selected and implemented by the system\nowners. Although the CISO office staff conducted earlier reviews of the AR system, the\nCISO did not continue to monitor the system as it evolved to ensure that an acceptable\nlevel of security existed and that appropriate controls were implemented.\nWithout conducting initial and annual risk assessments, ensuring the AR system is\ncovered by a system security plan, and ensuring effective passwords, the Agency has\nlimited assurance that the AR system controls are appropriately addressing the risks\nand are functioning as intended. Consequently, the confidentiality, integrity and\navailability of the AR system and data are at risk and may not be protected from\nunauthorized disclosures, modifications, destruction and loss.\nSubsequent to our fieldwork, we learned that some components of USAID\xe2\x80\x99s AR system\nwill eventually be phased out and replaced6 by an integrated Department of State and\nUSAID system to support the Office of the Director of US Foreign Assistance (F) within\nthe Department of State. 
The types of system controls mentioned in this report should\nbe considered in F bureau\xe2\x80\x99s efforts in developing a new joint integrated system.\nTherefore, we are making several recommendations to help USAID improve its\ncontrols over the AR system.\n\n\n6\n The components for replacement or integration are planned to be identified and evaluated in the\nremaining part of calendar year 2006.\n\n\n                                                                                               9\n\x0cRecommendation No. 1: We recommend that the Office of Policy and Program\nCoordination, in collaboration with the Chief Information Security Officer, re-evaluate\nthe categorization of the Annual Report system and determine if it should be\nconsidered a major application system as defined by the Office of Management and\nBudget and the National Institute of Standards and Technology.\n\nRecommendation No. 2: We recommend that the Office of Policy and Program\nCoordination, in collaboration with the Chief Information Security Officer, ensure that\nthe Annual Report system is covered by a security plan as appropriate for the\ncategorization of the Annual Report system.\n\nRecommendation No. 3: We recommend that the Office of Policy and Program\nCoordination, in collaboration with the Chief Information Security Officer, ensure that\na risk assessment of the Annual Report system is performed in conformance with the\nNational Institute of Standards and Technology guidance to assist in categorizing\nand identifying the appropriate level of system controls for the Annual Report system.\n\nRecommendation No. 4: We recommend that the Office of Policy and Program\nCoordination implement the appropriate controls to protect the Annual Report\nsystem. 
At a minimum, the security plan covering the Annual Report system controls should include:

   •   Assigning security responsibilities.
   •   Establishing formal rules of behavior and providing training prior to a user being granted access to the Annual Report system.
   •   Conducting periodic contingency testing of the Annual Report system.
   •   Conducting independent reviews or audits of the security controls.
   •   Authorizing the Annual Report system for processing (if appropriate).

Recommendation No. 5: We recommend that the Office of Policy and Program Coordination implement improved password controls over the Annual Report system in accordance with Automated Directives System-545 standards.

Recommendation No. 6: We recommend that the Office of Policy and Program Coordination provide the Cognizant Technical Officer for the Annual Report system specialized information systems security training to help ensure that information systems security deliverables are appropriately defined, evaluated and monitored for performance.

Recommendation No. 7: We recommend that the Chief Information Security Officer conduct a review of his oversight responsibilities and implement identified improvements to ensure that the Annual Report system has continued compliance with applicable Federal requirements.

EVALUATION OF MANAGEMENT COMMENTS

USAID’s Deputy Assistant Administrator for the Office of Policy and Program Coordination (PPC) and the Acting Chief Information Officer (CIO) prepared a consolidated written response to our draft report. The consolidated response is included in its entirety in Appendix II of this report.

USAID management agreed to take corrective action on all seven recommendations in the report. For Recommendation Nos. 1, 2, 3, 4, 6, and 7, USAID management provided corrective action plans and target completion dates. Additionally, a management decision was made for Recommendation No. 5 and documentation is pending for final action. Therefore, we consider that management decisions have been reached for the above recommendations.

APPENDIX I

SCOPE AND METHODOLOGY

Scope

The Office of Inspector General, Information Technology and Special Audits Division, performed this audit in accordance with generally accepted government auditing standards. The purpose of the audit was to determine whether USAID implemented effective controls over its Annual Report (AR) Application system. Audit fieldwork was conducted at USAID headquarters in Washington, D.C. and at the offices of the LTS Corporation in the Washington, D.C. metropolitan area from November 29, 2005, through April 17, 2006. Our scope also included input from AR system users in overseas operating units.

In support of our audit objective, we selectively considered the following areas, among others, in our review:

•   Risk Assessments and Security Plans
•   Access Controls
•   Audit Trails
•   Contingency Planning
•   Training

Though several contracting issues were identified during the audit, an audit of the terms of the contract was outside the scope of this audit.

Methodology

For the purpose of this audit, application controls were defined as security controls that provide management, technical and operational safeguards to protect the confidentiality, integrity and availability of the system and its information.
As a basis for our evaluation, we relied primarily upon the National Institute of Standards and Technology (NIST) Special Publication 800-53, “Recommended Security Controls for Federal Information Systems,” as the framework for identifying the types of controls to be included in our audit. We also used the Office of Management and Budget (OMB) Circular A-130, the Federal Information Security Management Act of 2002 and guidance issued by the Institute of Internal Auditors, Information Systems Audit and Control Association, Defense Information Systems Agency, NIST Federal Information Processing Standards Publication 199, and other NIST publications.

We interviewed direct-hires and contractors from USAID’s Office of Policy and Program Coordination, Bureau for Asia and Near East, Bureau for Africa, and the Office of Information Resources Management. In addition, we obtained input from USAID’s overseas missions through the use of a questionnaire.

As noted above, a survey of USAID’s overseas missions on the AR system was made through a questionnaire sent to 66 AR system users in 15 different countries. Twenty-two of the 66 individuals responded. This list of AR system overseas mission users was provided by the contractor that supports the AR system. The purpose of the survey questionnaire was to determine how these operating units managed access to and use of the application.

We reviewed relevant laws, regulations, leading practices, and USAID policies, procedures, and guidance. We also reviewed the Agency contract regarding the AR system and results of other audits and reviews related to our audit objective. In instances where documentation was not available to test, verify or support a specific security control area, we used the responses received from Agency and Contractor personnel as a basis for determining the security control’s effectiveness. Additionally, we conducted a preliminary evaluation of the AR system to determine whether the AR system could be categorized in a security plan as a major application using criteria established in NIST’s Federal Information Processing Standard 199, supporting Special Publications 800-18, 800-37, 800-53, 800-60 and OMB Circular A-130.

Using the above information, we identified and reported on selected security areas that we perceived as high risk based on the significance and sensitivity of that process, the likelihood that the particular process may not achieve its intended control objective, and the extent to which other processes rely on that process. Consequently, not all the security areas we reviewed are mentioned in the report.

A specific materiality threshold was not set for the audit. Instead, we used our judgment in determining sampling sizes to assess the AR system since the population was too small for statistical sampling.

APPENDIX II

MANAGEMENT COMMENTS

                                                                 September 22, 2006

MEMORANDUM

TO:           AIG/A, Joseph Farinella

FROM:         PPC/DAA, Walter North /s/
              CIO/A, Phil Heneghan /s/

SUBJECT:      Audit of Selected Application Controls over the Annual Report Application (AR) System, dated August 24, 2006
              IG Report No. A-000-06-00X-P

      Thank you for your report.
Below are our management decisions for the seven recommendations in the report.

Recommendation No. 1: Re-evaluate the Annual Report (AR) system and determine if it is a major application system.

Management Decision: PPC will conduct an evaluation of the AR system and make a determination whether it is a major application by July 2007.

Recommendation No. 2: The AR system must have an appropriate security plan.

Management Decision: PPC will develop a security plan for the AR system by July 2007.

Recommendation No. 3: A risk assessment of the AR system should be performed to identify the appropriate level of system controls.

Management Decision: PPC will conduct a risk assessment for the AR system by July 2007.

Recommendation No. 4: At a minimum, the IG recommends that certain AR system controls be included in the security plan.

Management Decision: PPC will follow the new CISO guidance (to be issued by March 2007) to identify the system controls to be included in the security plan for the AR system by July 2007.

Recommendation No. 5: Implement improved password controls.

Management Decision: PPC has already implemented improved password controls in accordance with ADS-545 standards.

Recommendation No. 6: The CTO for the AR system should receive information systems security training to ensure that information systems security deliverables are defined, evaluated and monitored for performance.

Management Decision: PPC will complete this training on or before November 30, 2006.

Recommendation No. 7: We recommend that the Chief Information Security Officer conduct a review of his oversight responsibilities and implement identified improvements to ensure that the AR system has continued compliance with the Federal requirements.

Management Decision: The CISO will conduct a review of oversight responsibilities related to the AR system and establish procedures to implement identified improvements by July 2007.

APPENDIX III

Annual Report System Description

For each fiscal year, various additions and modifications are made to the Annual Report (AR) Application system by the Office of Policy and Program Coordination (PPC), with contractor support, to meet the Agency’s reporting information needs and requirements driven by legislation and other Federal mandates and initiatives. The information collection process starts with the issuance of the AR guidance and an electronic distribution of the AR system software to Agency operating units by PPC and the Bureau for Legislative and Public Affairs. The AR guidance covers a broad range of budget data, performance data, and narrative topics to be collected for the Agency’s various internal and external stakeholders. The Agency’s overseas operating units receive and install the AR system software for users at their site. There they prepare and submit their information through the AR system back to Washington, DC, over USAID’s network (AIDNet). In Washington, each operating unit’s submission is stored in a core database system for the Regional Bureaus to access, review, analyze, and modify before the data is officially submitted to PPC.
When the AR information is officially finalized, PPC extracts information from the AR system in coordination with other Agency offices to prepare internal and external reports (e.g. Performance and Accountability Report (PAR) and Congressional Budget Justification (CBJ)). This process is repeated annually and generally starts during the first quarter of each new fiscal year. However, the previous year’s information is available within the system for review and inclusion in the current year’s submission.

The AR system is a Microsoft Windows-based client-server application[7]. As shown in the diagram on the next page, the core of the AR system is a central database that runs on Microsoft SQL Server software in a contractor-supported facility located in the Washington, DC metropolitan area. In conjunction with the core AR central database, an AR client application (i.e., a small database program using MS Access with a user interface) is installed on a user’s computer to input, query and submit data. A dedicated communication line connects USAID Headquarters to the contractor facility, allowing Headquarters personnel with the AR client application to input and retrieve data from the AR central database. However, personnel in overseas operating units do not have direct access to the AR central database. Each overseas operating unit, upon local completion and approval of their input into the local AR client application, transmits its consolidated AR client application database back to Headquarters over the Agency’s network (AIDNet) and through a dedicated communication line for electronic storage at the contractor’s facility. Around mid-December, PPC, with contractor support, imports the AR client application databases from each operating unit into the core AR central database, where it is accessed by Headquarters personnel.
The AR system does not directly receive information from any other Agency system. The diagram below represents a high-level pictorial representation of the AR system.

[7] Client-server application: Describes the relationship between two computer programs in which one program, the client, makes a request from another program, the server, which fulfills the request and provides a convenient way to interconnect programs that are distributed across different locations.

[Diagram: high-level view of the AR system, showing the Washington DC Metro Area and the Overseas Operating Units connected over the Network (AIDNet).]

APPENDIX IV

Glossary of Selected Information Security Terms

Access Control – The process of granting or denying specific requests (1) to obtain and use information and related information processing services and (2) to enter specific physical facilities.

Accountability – The security goal that generates the requirement for actions of an entity to be traced uniquely to that entity.

Application – The use of information resources (information and information technology) to satisfy a specific set of user requirements.

Availability – Ensuring timely and reliable access to and use of information.

Audit – Independent review and examination of records and activities to assess the adequacy of system controls, to ensure compliance with established policies and operational procedures, and to recommend necessary changes in controls, policies, or procedures.

Authentication – Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

Information System Owner – Official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

Identification – The process of verifying the identity of a user, process, or device, usually as a prerequisite for granting access to resources in an IT system.

Impact – The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.

Integrity – Guarding against improper information modification or destruction; includes ensuring information non-repudiation and authenticity.

Risk Assessment – The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analysis.

Security Controls – The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system to protect the confidentiality, integrity, and availability of the system and its information.

System Security Plan – Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements.

U.S. Agency for International Development
Office of Inspector General
1300 Pennsylvania Ave, NW
Washington, DC 20523
Tel: (202) 712-1150
Fax: (202) 216-3047
www.usaid.gov/oig